Several Vulnerabilities Found in Common Android IDEs Including Android Studio, IntelliJ IDEA, and Eclipse

When we think of Android vulnerabilities we typically picture a zero-day that exploits some process to escalate privileges: anything from tricking a smartphone or tablet into connecting to a malicious WiFi network to executing code on a device from a remote location. A recently disclosed class of Android vulnerability targets something different: the developer's own tools. It is being called ParseDroid, and it affects Android Studio, IntelliJ IDEA, Eclipse, APKTool, the Cuckoo-Droid service and more.

ParseDroid isn't confined to Android's developer tools, either; the same vulnerabilities have been found in multiple Java/Android tools that programmers use today. Whether the tool is installed locally or runs in the cloud, Check Point Research found these flaws in the most common Android and Java development tools. Once exploited, an attacker can read files from the developer's workstation.

Check Point Research first dug into the most popular tool for reverse engineering third-party Android apps, APKTool, and found that both its APK decompiling and building features are vulnerable to the attack. Reviewing the source code, the researchers identified an XML External Entity (XXE) vulnerability: the XML parser APKTool uses is not configured to disable external entity references when parsing an XML file, so a document's DOCTYPE can declare an entity that points at a local file and the parser will read that file and inline its contents wherever the entity is referenced.

Once exploited, the vulnerability exposes any file the APKTool process can read on the user's machine: an attacker who gets a victim to decompile a crafted APK can retrieve arbitrary files from the victim's PC through a malicious “AndroidManifest.xml” carrying the XXE payload. With that established, the researchers turned to popular Android IDEs and found that simply loading the malicious “AndroidManifest.xml” as part of any Android project makes the IDE leak whatever files the attacker named in the entity declaration, with no build step required.
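To make the mechanism concrete, here is an added example, not code from APKTool, Check Point or any of the IDEs named above. It builds a constructed AndroidManifest.xml whose DOCTYPE declares an external entity pointing at a local file (a temp file standing in for a developer secret), then parses it twice with the standard JAXP DocumentBuilder: once with the factory's default settings, which resolve the entity and return the file contents as element text, and once with a hardened factory that refuses the DOCTYPE and disables external entity resolution. The class and method names are my own; the feature URIs are the standard Xerces/SAX ones.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example (not APKTool's or any IDE's code): the XXE pattern described
 * in the article, reproduced against a JAXP DocumentBuilder. The constructed
 * manifest declares an external entity pointing at a local file and references
 * it in element text, where manifest consumers never look but the parser still
 * expands it.
 */
public class ManifestXxeDemo {

    /** Build the attacker's manifest. The DOCTYPE is the whole payload. */
    static String maliciousManifest(Path target) {
        return "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
            + "<!DOCTYPE manifest [\n"
            + "  <!ENTITY xxe SYSTEM \"" + target.toUri() + "\">\n"
            + "]>\n"
            + "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\"\n"
            + "          package=\"com.example.parsedroid\">\n"
            + "  <application android:label=\"demo\">&xxe;</application>\n"
            + "</manifest>\n";
    }

    /** Default JAXP configuration: external entities are resolved and inlined. */
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened configuration: reject any DOCTYPE, and disable entity resolution as defence in depth. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // A manifest never needs a DTD, so the cleanest fix is to refuse one entirely.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces, in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parse and return the text inside <application>, i.e. whatever the entity expanded to. */
    static String applicationText(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("application").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a developer secret; a real attacker would name
        // something like the user's Gradle properties or an SSH private key.
        Path secret = Files.createTempFile("parsedroid-demo", ".txt");
        Files.writeString(secret, "signing.keystore.password=hunter2");
        String manifest = maliciousManifest(secret);

        // Default parser: the file contents come back as the element's text.
        System.out.println("default parser  : " + applicationText(vulnerableFactory(), manifest));

        // Hardened parser: the DOCTYPE is rejected before any entity is touched.
        try {
            System.out.println("hardened parser : " + applicationText(hardenedFactory(), manifest));
        } catch (SAXException e) {
            System.out.println("hardened parser : rejected -> " + e.getMessage());
        }
        Files.delete(secret);
    }
}
```

Run it with `java ManifestXxeDemo.java` (JDK 11 or later). The first line prints the temp file's contents, which is exactly the leak the article describes: the tool only wanted the manifest's attributes, but the parser dutifully fetched the file named in the entity declaration. The same disallow-doctype-decl setting is the check to look for when auditing any Java tool that parses untrusted XML; if a parser must accept a DTD, the two external-entity features and load-external-dtd are the minimum to turn off.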